CAEP Hub Actions are the resulting layer of your CAEP Hub Rules and Workflows — they carry out real changes against identity providers, infrastructure, and SaaS applications in response to trigger conditions. SGNL provides dozens of out-of-the-box actions covering standards-based CAEP/SSF event transmission as well as proprietary APIs for leading platforms including Microsoft Entra ID, AWS, Okta, Salesforce, and more.
One or more parameter expressions can appear anywhere in an action field — including the address override field — letting you build fully dynamic requests from triggered graph data, or action responses. Examples of use can be found here.
Below is the list of supported Actions in CAEP Hub, with their inputs and outputs.
Protected System Type: AzureAD-1.0.0
| Setting | Value |
|---|---|
| Address | https://graph.microsoft.com/v1.0 |
| Authentication | OAuth2 Client Credentials (recommended) or OAuth2 Authorization Code |
For Authorization Code Flow, ensure the offline_access scope is configured in addition to https://graph.microsoft.com/.default.
nameKey: aad-add-to-group
Description: Add a user to a group in Azure Active Directory
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
userPrincipalName | Yes | text | UPN of the user to add | [email protected] |
groupId | Yes | text | Azure AD Group ID (GUID) | 89a3f3e2-1234-5678-abcd-ef1234567890 |
address | No | text | Azure AD API base URL override | https://graph.microsoft.com/v1.0 |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result (success, failed, recovered, etc.) |
userPrincipalName | text | User Principal Name that was processed |
groupId | text | Azure AD Group ID that was processed |
added | boolean | Whether the user was successfully added to the group |
message | text | Additional context (e.g., user already a member) |
address | text | The Azure AD API base URL used |
nameKey: aad-assign-role-to-user
Description: Assign a directory role to a user in Azure Active Directory
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
userPrincipalName | Yes | text | UPN of the user to assign the role to | [email protected] |
roleId | Yes | text | Directory role ID (GUID) | 62e90394-69f5-4237-9190-012177145e10 |
directoryScopeId | No | text | Directory scope for the assignment (default /) | / |
justification | No | text | Reason for the role assignment | Approved by SGNL.ai |
address | No | text | Azure AD API base URL override | https://graph.microsoft.com/v1.0 |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result |
userPrincipalName | text | User principal name that was processed |
roleId | text | Role ID that was assigned |
userId | text | User’s directory object ID |
requestId | text | Role assignment request ID |
address | text | The Azure AD API base URL used |
nameKey: aad-disable-user
Description: Disable a user account in Azure Active Directory
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
userPrincipalName | Yes | text | UPN of the user to disable | [email protected] |
address | No | text | Azure AD API base URL override | https://graph.microsoft.com/v1.0 |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result |
userPrincipalName | text | The user principal name that was disabled |
accountEnabled | boolean | Account enabled status (should be false) |
address | text | The Azure AD API base URL used |
nameKey: aad-enable-user
Description: Enable a user account in Azure Active Directory
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
userPrincipalName | Yes | text | UPN of the user to enable | [email protected] |
address | No | text | Azure AD API base URL override | https://graph.microsoft.com/v1.0 |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result |
userPrincipalName | text | The user principal name that was enabled |
accountEnabled | boolean | Account enabled status (should be true) |
address | text | The Azure AD API base URL used |
nameKey: aad-remove-from-group
Description: Remove a user from a group in Azure Active Directory
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
userPrincipalName | Yes | text | UPN of the user to remove | [email protected] |
groupId | Yes | text | Azure AD Group ID (GUID) | 89a3f3e2-1234-5678-abcd-ef1234567890 |
address | No | text | Azure AD API base URL override | https://graph.microsoft.com/v1.0 |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result |
userPrincipalName | text | The user principal name that was processed |
groupId | text | The group ID that was processed |
removed | boolean | Whether the user was successfully removed |
userId | text | The Azure AD object ID of the user |
message | text | Optional context message |
address | text | The Azure AD API base URL used |
nameKey: aad-revoke-session
Description: Revoke all Azure AD sign-in sessions for a user
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
userPrincipalName | Yes | text | UPN of the user whose sessions should be revoked | [email protected] |
address | No | text | Azure AD API base URL override | https://graph.microsoft.com/v1.0 |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result |
userPrincipalName | text | The user principal name whose sessions were revoked |
value | boolean | true if revocation was successful |
address | text | The Azure AD API base URL used |
nameKey: aad-unassign-role-from-user
Description: Remove a directory role from a user in Azure Active Directory
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
userPrincipalName | Yes | text | UPN of the user to remove the role from | [email protected] |
roleId | Yes | text | Directory role ID to remove | 62e90394-69f5-4237-9190-012177145e10 |
directoryScopeId | No | text | Directory scope for the role assignment (default /) | / |
justification | No | text | Reason for removal | Removed by SGNL.ai |
address | No | text | Azure AD API base URL override | https://graph.microsoft.com/v1.0 |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result |
userPrincipalName | text | User principal name that was processed |
roleId | text | Role ID that was removed |
userId | text | User’s directory object ID |
requestId | text | Role removal request ID |
address | text | The Azure AD API base URL used |
Protected System Type: ActiveDirectory-1.0.0
| Setting | Value |
|---|---|
| Address | LDAP(S) server URL, e.g. ldaps://ad.corp.example.com:636 |
| Authentication | Basic (LDAP bind username and password) |
Password updates (
ad-create-user,ad-update-user) require LDAPS (port 636) to transmit credentials securely.
nameKey: ad-add-to-group
Description: Add a user to a group in on-premise Active Directory via LDAP
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
baseDN | Yes | text | Base DN to search for the user | DC=corp,DC=example,DC=com |
samAccountName | Yes | text | User’s sAMAccountName | alice |
groupDN | Yes | text | Distinguished Name of the target group | CN=Admins,OU=Groups,DC=corp,DC=example,DC=com |
address | No | text | LDAP server URL override | ldaps://ad.corp.example.com:636 |
dry_run | No | boolean | Validate without making changes | false |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result (success, dry_run_completed, halted) |
userDN | text | Resolved Distinguished Name of the user |
groupDN | text | Distinguished Name of the group that was processed |
added | boolean | Whether the user was newly added to the group |
baseDN | text | The base DN used to search for the user |
samAccountName | text | The sAMAccountName used to identify the user |
message | text | Additional status message or error details |
address | text | The LDAP server URL that was used |
nameKey: ad-create-group
Description: Create a new group in on-premise Active Directory via LDAP
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
groupDN | Yes | text | Distinguished Name for the new group | CN=My Group,OU=Groups,DC=example,DC=com |
samAccountName | Yes | text | SAM account name for the group | MyGroup |
description | No | text | Group description | SGNL-managed group |
groupType | No | text | security or distribution (default security) | security |
groupScope | No | text | global, domain_local, or universal (default global) | global |
managedBy | No | text | DN of the managing user or group | CN=Admin,OU=Users,DC=example,DC=com |
additionalAttributes | No | text | JSON object of additional LDAP attributes | {"info":"managed by SGNL"} |
dry_run | No | boolean | Validate without making changes | false |
successIfAlreadyExists | No | boolean | Return success if group already exists | false |
address | No | text | LDAP server URL override | ldaps://ad.corp.example.com:636 |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result (success, halted, dry_run_completed) |
groupDN | text | Distinguished Name of the created group |
created | boolean | Whether the group was created |
alreadyExisted | boolean | true if group already existed (when successIfAlreadyExists is enabled) |
groupType | text | Type of group created |
groupScope | text | Scope of group created |
attributes | array | List of attribute names that were set |
address | text | LDAP server address used |
nameKey: ad-create-user
Description: Create a new user in on-premise Active Directory via LDAP
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
userDN | Yes | text | Distinguished Name for the new user | CN=Alice Smith,OU=Users,DC=example,DC=com |
samAccountName | Yes | text | SAM account name (sAMAccountName) | alice.smith |
userPrincipalName | Yes | text | User Principal Name | [email protected] |
firstName | Yes | text | First name (givenName) | Alice |
lastName | Yes | text | Last name (sn) | Smith |
displayName | No | text | Display name | Alice Smith |
email | No | text | Email address (mail) | [email protected] |
company | No | text | Company name | Acme Corp |
department | No | text | Department | Engineering |
title | No | text | Job title | Engineer |
enabled | No | boolean | Create account as enabled (default false) | true |
password | No | text | Initial password (requires LDAPS) | TempP@ssw0rd! |
changePasswordAtNextLogin | No | boolean | Force password change on first login | false |
additionalAttributes | No | text | JSON object of additional LDAP attributes | {"telephoneNumber":"555-1234"} |
dry_run | No | boolean | Validate without making changes | false |
successIfAlreadyExists | No | boolean | Return success if user already exists | false |
address | No | text | LDAP server URL override | ldaps://ad.corp.example.com:636 |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result (success, halted) |
userDN | text | Distinguished Name of the created user |
created | boolean | Whether the user was created |
alreadyExisted | boolean | true if user already existed (when successIfAlreadyExists is enabled) |
attributes | array | List of attribute names that were set |
enabled | boolean | Whether the account was created as enabled |
address | text | LDAP server address used |
nameKey: ad-disable-user
Description: Disable an enabled user account in on-premise Active Directory via LDAP
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
baseDN | Yes | text | Base DN to search for the user | DC=corp,DC=example,DC=com |
samAccountName | Yes | text | User’s sAMAccountName | alice |
address | No | text | LDAP server URL override | ldaps://ad.corp.example.com:636 |
dry_run | No | boolean | Validate without making changes | false |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result |
userDN | text | Resolved Distinguished Name of the user |
disabled | boolean | Whether the user was newly disabled (false if already disabled) |
previousUAC | number | userAccountControl value before the operation |
newUAC | number | userAccountControl value after the operation |
baseDN | text | The base DN used to search for the user |
samAccountName | text | The sAMAccountName used to identify the user |
address | text | The LDAP server URL that was used |
nameKey: ad-enable-user
Description: Enable a disabled user account in on-premise Active Directory via LDAP
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
baseDN | Yes | text | Base DN to search for the user | DC=corp,DC=example,DC=com |
samAccountName | Yes | text | User’s sAMAccountName | alice |
address | No | text | LDAP server URL override | ldaps://ad.corp.example.com:636 |
dry_run | No | boolean | Validate without making changes | false |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result |
userDN | text | Resolved Distinguished Name of the user |
enabled | boolean | Whether the user was newly enabled (false if already enabled) |
previousUAC | number | userAccountControl value before the operation |
newUAC | number | userAccountControl value after the operation |
baseDN | text | The base DN used to search for the user |
samAccountName | text | The sAMAccountName used to identify the user |
address | text | The LDAP server URL that was used |
nameKey: ad-move-user
Description: Move a user to a new parent container/OU in Active Directory via LDAP
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
baseDN | Yes | text | Base DN to search for the user | DC=corp,DC=example,DC=com |
samAccountName | Yes | text | User’s sAMAccountName | alice |
newParentDN | Yes | text | Target container/OU DN | OU=DisabledUsers,DC=example,DC=com |
newName | No | text | New name for the user (without CN= prefix) | Alice Smith |
dry_run | No | boolean | Validate without making changes | false |
address | No | text | LDAP server URL override | ldaps://ad.corp.example.com:636 |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result (success, halted, dry_run_completed) |
userDN | text | Resolved Distinguished Name of the user |
previousDN | text | Original Distinguished Name before move |
newDN | text | New Distinguished Name after move |
moved | boolean | Whether the user was moved |
renamed | boolean | Whether the user was renamed during the move |
baseDN | text | The base DN used to search for the user |
samAccountName | text | The sAMAccountName used to identify the user |
newParentDN | text | Target parent container/OU DN |
address | text | LDAP server address used |
nameKey: ad-remove-from-group
Description: Remove a user from a group in on-premise Active Directory via LDAP
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
baseDN | Yes | text | Base DN to search for the user | DC=corp,DC=example,DC=com |
samAccountName | Yes | text | User’s sAMAccountName | alice |
groupDN | Yes | text | Distinguished Name of the target group | CN=Admins,OU=Groups,DC=corp,DC=example,DC=com |
address | No | text | LDAP server URL override | ldaps://ad.corp.example.com:636 |
dry_run | No | boolean | Validate without making changes | false |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result |
userDN | text | Resolved Distinguished Name of the user |
groupDN | text | Distinguished Name of the group that was processed |
removed | boolean | Whether the user was newly removed from the group |
baseDN | text | The base DN used to search for the user |
samAccountName | text | The sAMAccountName used to identify the user |
message | text | Additional status message or error details |
address | text | The LDAP server URL that was used |
nameKey: ad-update-user
Description: Update user attributes in on-premise Active Directory via LDAP
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
baseDN | Yes | text | Base DN to search for the user | DC=corp,DC=example,DC=com |
samAccountName | No | text | sAMAccountName of the user (required if objectGUID is not provided) | alice |
objectGUID | No | text | Immutable objectGUID (used instead of samAccountName when renaming) | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
newSamAccountName | No | text | New SAM account name if renaming | alice.smith |
userPrincipalName | No | text | New User Principal Name | [email protected] |
firstName | No | text | First name (givenName) | Alice |
lastName | No | text | Last name (sn) | Smith |
displayName | No | text | Display name | Alice Smith |
email | No | text | Email address (mail) | [email protected] |
company | No | text | Company name | Acme Corp |
department | No | text | Department | Engineering |
title | No | text | Job title | Senior Engineer |
password | No | text | New password (requires LDAPS) | NewP@ssw0rd! |
changePasswordAtNextLogin | No | boolean | Force password change on next login | false |
additionalAttributes | No | text | JSON object of additional LDAP attributes to update | {"telephoneNumber":"555-5678"} |
dry_run | No | boolean | Validate without making changes | false |
address | No | text | LDAP server URL override | ldaps://ad.corp.example.com:636 |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result (success, halted) |
userDN | text | Resolved Distinguished Name of the user |
modified | boolean | Whether user attributes were modified |
attributes | array | List of attribute names that were updated |
baseDN | text | The base DN used to search for the user |
samAccountName | text | The sAMAccountName used to identify the user |
objectGUID | text | The objectGUID used to identify the user |
address | text | LDAP server address used |
Protected System Type: AWS-1.0.0
| Setting | Value |
|---|---|
| Address | Not required for IAM/Identity Center operations |
| Authentication | AWS IAM credentials (Access Key ID and Secret Access Key) configured as secrets on the Protected System |
AWS actions use AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY credentials rather than the standard Bearer/OAuth2 methods. Ensure the IAM user or role has the necessary permissions for each action.
nameKey: aws-add-to-identity-center-group
Description: Add a user to an AWS Identity Center (SSO) group
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
userName | Yes | text | Username of the user to add | alice |
identityStoreId | Yes | text | Identity Store ID | d-1234567890 |
groupId | Yes | text | ID of the group to add the user to | a1b2c3d4-5678-... |
region | Yes | text | AWS region | us-east-1 |
Outputs
| Output | Type | Description |
|---|---|---|
userName | text | The username that was added |
groupId | text | The group ID the user was added to |
userId | text | The resolved user ID from the username |
membershipId | text | The ID of the created group membership |
added | boolean | Whether the user was successfully added |
addedAt | datetime | When the addition completed (ISO 8601) |
nameKey: aws-remove-from-identity-center-group
Description: Remove a user from an AWS Identity Center (SSO) group
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
userName | Yes | text | Username of the user to remove | alice |
identityStoreId | Yes | text | Identity Store ID | d-1234567890 |
groupId | Yes | text | ID of the group to remove the user from | a1b2c3d4-5678-... |
region | Yes | text | AWS region | us-east-1 |
Outputs
| Output | Type | Description |
|---|---|---|
userName | text | The username that was removed |
groupId | text | The group ID the user was removed from |
userId | text | The resolved user ID from the username |
removed | boolean | Whether the user was successfully removed |
removedAt | datetime | When the removal completed (ISO 8601) |
nameKey: aws-revoke-session
Description: Revoke AWS sessions by applying a deny policy for tokens issued before a specific time
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
roleName | Yes | text | Name of the IAM role to apply the revocation policy to | MyAppRole |
region | Yes | text | AWS region | us-east-1 |
conditions | No | text | Additional conditions to append to the policy (JSON) | {"StringEquals":{"aws:PrincipalTag/env":"prod"}} |
tokenIssueTime | No | datetime | Revoke tokens issued before this time (defaults to now) | ${sgnl.time.now} |
Outputs
| Output | Type | Description |
|---|---|---|
roleName | text | The role name that was updated |
policyName | text | The name of the policy that was applied |
tokenIssueTime | datetime | The token issue time used for revocation |
applied | boolean | Whether the policy was successfully applied |
appliedAt | datetime | When the policy was applied (ISO 8601) |
nameKey: aws-revoke-user-access-tokens
Description: Revoke all AWS access tokens for a user by deleting all their access keys
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
userName | Yes | text | IAM username whose access keys should be deleted | alice |
region | Yes | text | AWS region | us-east-1 |
Outputs
| Output | Type | Description |
|---|---|---|
userName | text | The user whose access tokens were revoked |
keysDeleted | number | Number of access keys that were deleted |
revoked | boolean | Whether the revocation was successful |
revokedAt | datetime | When the revocation completed (ISO 8601) |
Protected System Type: Box-1.0.0
| Setting | Value |
|---|---|
| Address | https://api.box.com |
| Authentication | Bearer, Basic, OAuth2 Client Credentials, or OAuth2 Authorization Code |
nameKey: box-revoke-session
Description: Terminate all active sessions for a Box user
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
userId | Yes | text | The Box user ID to revoke sessions for | 12345678 |
userLogin | Yes | The Box user email/login | [email protected] | |
address | No | text | Box API base URL override | https://api.box.com |
Outputs
| Output | Type | Description |
|---|---|---|
userId | text | The Box user ID that was processed |
userLogin | text | The Box user login/email that was processed |
sessionsTerminated | boolean | Whether the sessions were successfully terminated |
terminatedAt | datetime | When the termination completed (ISO 8601) |
message | text | Response message from the Box API |
Protected System Type: CAEPTransmitter-1.0.0
| Setting | Value |
|---|---|
| Address | SET delivery endpoint (e.g., https://customer.okta.com/) |
| Authentication | Bearer (signed JWTs are generated automatically; the Bearer token here authenticates to the stream receiver’s management API if required) |
CAEP actions transmit Security Event Tokens (SETs) to a CAEP-compliant receiver according to the Shared Signals Framework (SSF). The subject identifies the affected principal, and the audience field specifies the intended recipient.
nameKey: caep-assurance-level-change
Description: Transmits a Continuous Access Evaluation Protocol (CAEP) Assurance Level Change event as a Security Event Token (SET) to a specified endpoint
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
subject | Yes | text | Subject identifier JSON | {"format":"email","email":"[email protected]"} |
audience | Yes | text | Intended recipient of the SET | https://customer.okta.com/ |
namespace | Yes | text | Assurance level namespace | NIST-AAL |
current_level | Yes | text | Current assurance level value | 2 |
previous_level | No | text | Previous assurance level value | 1 |
change_direction | No | text | increase or decrease | increase |
initiating_entity | No | text | Entity that initiated the change | policy |
reason_admin | No | text | Admin-readable reason (JSON i18n or plain string) | MFA upgraded |
reason_user | No | text | User-readable reason | Your security level has been updated |
address | No | text | Destination URL override | https://customer.okta.com/ |
Valid namespace values: RFC8176, RFC6711, ISO-IEC-29115, NIST-IAL, NIST-AAL, NIST-FAL
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Transmission status (success or failed) |
statusCode | number | HTTP response status code |
body | text | HTTP response body |
retryable | boolean | Whether the error is retryable |
nameKey: caep-credential-change
Description: Transmits a Continuous Access Evaluation Protocol (CAEP) Credential Change event as a Security Event Token (SET) to a specified endpoint
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
subject | Yes | text | Subject identifier JSON | {"format":"email","email":"[email protected]"} |
audience | Yes | text | Intended recipient of the SET | https://customer.okta.com/ |
credential_type | Yes | text | Type of credential that changed | password |
change_type | Yes | text | Type of change: create, revoke, update, or delete | revoke |
friendly_name | No | text | Human-readable name for the credential | Corporate Password |
x509_issuer | No | text | X.509 certificate issuer (for x509 credential type) | CN=corp-ca |
x509_serial | No | text | X.509 certificate serial number | 0x1A2B3C |
fido2_aaguid | No | text | FIDO2 Authenticator Attestation GUID | adce0002-... |
initiating_entity | No | text | Entity that initiated the change | admin |
reason_admin | No | text | Admin-readable reason | Password expired |
reason_user | No | text | User-readable reason | Your password has been reset |
address | No | text | Destination URL override | https://customer.okta.com/ |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Transmission status |
statusCode | number | HTTP response status code |
body | text | HTTP response body |
retryable | boolean | Whether the error is retryable |
nameKey: caep-device-compliance-change
Description: Transmits a Continuous Access Evaluation Protocol (CAEP) Device Compliance Change event as a Security Event Token (SET) to a specified endpoint
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
subject | Yes | text | Subject identifier JSON | {"format":"email","email":"[email protected]"} |
audience | Yes | text | Intended recipient of the SET | https://customer.okta.com/ |
previous_status | Yes | text | Previous compliance status: compliant or not-compliant | compliant |
current_status | Yes | text | Current compliance status: compliant or not-compliant | not-compliant |
initiating_entity | No | text | Entity that initiated the change | system |
reason_admin | No | text | Admin-readable reason | Device out of compliance |
reason_user | No | text | User-readable reason | Your device is no longer compliant |
address | No | text | Destination URL override | https://customer.okta.com/ |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Transmission status |
statusCode | number | HTTP response status code |
body | text | HTTP response body |
retryable | boolean | Whether the error is retryable |
nameKey: caep-session-revoked
Description: Transmits CAEP Session Revoked events as Security Event Tokens (SET)
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
subject | Yes | text | Subject identifier JSON | {"format":"email","email":"[email protected]"} |
audience | Yes | text | Intended recipient of the SET | https://customer.okta.com/ |
initiating_entity | No | text | What initiated the session revocation | policy |
reason_admin | No | text | Administrative reason for revocation | Policy violation detected |
reason_user | No | text | User-facing reason | Your session has been ended |
address | No | text | Destination URL override | https://customer.okta.com/ |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result (success or failed) |
statusCode | number | HTTP status code from the SET receiver |
body | text | Response body from the SET receiver |
retryable | boolean | Whether the error is retryable |
nameKey: caep-token-claims-change
Description: Transmits a Continuous Access Evaluation Protocol (CAEP) Token Claims Change event as a Security Event Token (SET) to a specified endpoint
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
subject | Yes | text | Subject identifier JSON | {"format":"email","email":"[email protected]"} |
audience | Yes | text | Intended recipient of the SET | https://customer.okta.com/ |
claims | Yes | text | JSON of changed token claims | {"role":"viewer","department":"finance"} |
initiating_entity | No | text | Entity that initiated the change | admin |
reason_admin | No | text | Admin-readable reason | Role downgraded |
reason_user | No | text | User-readable reason | Your access level has changed |
address | No | text | Destination URL override | https://customer.okta.com/ |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Transmission status |
statusCode | number | HTTP response status code |
body | text | HTTP response body |
retryable | boolean | Whether the error is retryable |
Generic actions are available on any Protected System regardless of type. They are useful for custom integrations or one-off HTTP calls.
nameKey: generic-sse-transmitter
Description: Transmits Security Event Tokens (SET) for CAEP and other security events
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
type | Yes | text | Security event type URI | https://schemas.openid.net/secevent/caep/event-type/session-revoked |
audience | Yes | text | Intended recipient | https://customer.okta.com/ |
subject | Yes | text | Subject identifier JSON | {"format":"email","email":"[email protected]"} |
eventPayload | Yes | text | Event-specific payload as JSON string | {"initiating_entity":"admin"} |
address | No | text | Destination URL override | https://customer.example.com/push |
addressSuffix | No | text | Suffix to append to the base address | /api/events |
customClaims | No | text | Custom JWT claims as JSON string | {"tenant":"acme"} |
subjectFormat | No | text | Subject placement: SubjectInEventClaims (CAEP 2.0/Okta) or SubjectInSubId (CAEP 3.0) | SubjectInSubId |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Transmission status (success or failed) |
statusCode | number | HTTP status code from the SET receiver |
body | text | Response body from the SET receiver |
retryable | boolean | Whether the error is retryable |
nameKey: generic-webhook
Description: Generic webhook action for making custom HTTP requests
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
method | Yes | text | HTTP method | POST |
address | No | text | Full URL (overrides Protected System address) | https://api.example.com/users/suspend |
addressSuffix | No | text | Path suffix to append to the base address | /v2/disable |
requestBody | No | text | JSON request body | {"userId":"${trigger.User.id}"} |
requestHeaders | No | text | JSON object of custom headers | {"X-Custom-Header":"value"} |
acceptedStatusCodes | No | array | Additional HTTP status codes to treat as success | [404, 409] |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result status |
data | object | Response data containing statusCode, body, success, and executedAt |
Access nested response fields as ${outputs['generic-webhook'].data.body.<field>}.
Protected System Type: Google-1.0.0
| Setting | Value |
|---|---|
| Address | https://iam.googleapis.com (Workforce Identity) or https://admin.googleapis.com (Workspace) |
| Authentication | Bearer, OAuth2 Client Credentials, or OAuth2 Authorization Code |
Google Workspace session revocation requires a service account with domain-wide delegation or OAuth2 Authorization Code with the Admin SDK https://www.googleapis.com/auth/admin.directory.user.security scope.
nameKey: google-delete-workforce-user
Description: Delete a workforce user from Google Cloud IAM Workforce Identity
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
subjectId | Yes | text | Subject ID of the workforce user to delete | contractor-alice |
workforcePoolId | Yes | text | ID of the workforce pool | my-workforce-pool |
address | No | text | Google IAM API base URL override | https://iam.googleapis.com |
Outputs
| Output | Type | Description |
|---|---|---|
workforcePoolId | text | The workforce pool ID that was processed |
subjectId | text | The subject ID that was deleted |
deleted | boolean | Whether the user was successfully deleted |
alreadyDeleted | boolean | Whether the user was already deleted (404 response) |
deletedAt | datetime | When the deletion completed (ISO 8601) |
nameKey: google-revoke-session
Description: Sign out a Google Workspace user from all web and device sessions
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
userKey | Yes | text | User’s primary email, alias email, or unique user ID | [email protected] |
address | No | text | Google Admin SDK API base URL override | https://admin.googleapis.com |
Outputs
| Output | Type | Description |
|---|---|---|
userKey | text | The user key that was signed out |
sessionRevoked | boolean | Whether the session was successfully revoked |
revokedAt | datetime | When the session was revoked (ISO 8601) |
nameKey: google-undelete-workforce-user
Description: Undelete a workforce user from Google Cloud IAM Workforce Identity
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
subjectId | Yes | text | Subject ID of the workforce user to undelete | contractor-alice |
workforcePoolId | Yes | text | ID of the workforce pool | my-workforce-pool |
address | No | text | Google IAM API base URL override | https://iam.googleapis.com |
Outputs
| Output | Type | Description |
|---|---|---|
workforcePoolId | text | The workforce pool ID that was processed |
subjectId | text | The subject ID that was undeleted |
undeleted | boolean | Whether the user was successfully undeleted |
alreadyActive | boolean | Whether the user was already active (not deleted) |
undeletedAt | datetime | When the undeletion completed (ISO 8601) |
Protected System Type: HashiCorpBoundary-1.0.0
| Setting | Value |
|---|---|
| Address | Your Boundary deployment base URL, e.g. https://boundary.example.com |
| Authentication | Basic (Boundary admin username and password) |
The Boundary admin credentials are used to obtain a token for API operations. The authMethodId input on each action specifies which Boundary auth method to use during login.
nameKey: hashicorp-boundary-add-user-to-group
Description: Add a user to a group in HashiCorp Boundary
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
groupId | Yes | text | The Boundary group ID to add the user to | g_1234567890 |
userId | Yes | text | The Boundary user ID to add | u_1234567890 |
authMethodId | Yes | text | The Boundary auth method ID for login | ampw_1234567890 |
Outputs
| Output | Type | Description |
|---|---|---|
groupId | text | The group ID that was processed |
userId | text | The user ID that was added |
authMethodId | text | The auth method ID used for authentication |
userAdded | boolean | Whether the user was successfully added to group |
addedAt | datetime | When the operation completed (ISO 8601) |
nameKey: hashicorp-boundary-cancel-sessions
Description: Cancel active sessions in HashiCorp Boundary
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
sessionId | Yes | text | The Boundary session ID to cancel | s_1234567890 |
authMethodId | Yes | text | The Boundary auth method ID for login | ampw_1234567890 |
Outputs
| Output | Type | Description |
|---|---|---|
sessionId | text | The session ID that was processed |
authMethodId | text | The auth method ID used for authentication |
sessionCancelled | boolean | Whether the session was successfully cancelled |
cancelledAt | datetime | When the cancellation completed (ISO 8601) |
nameKey: hashicorp-boundary-remove-user-from-group
Description: Remove a user from a group in HashiCorp Boundary
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
groupId | Yes | text | The Boundary group ID to remove the user from | g_1234567890 |
userId | Yes | text | The Boundary user ID to remove | u_1234567890 |
authMethodId | Yes | text | The Boundary auth method ID for login | ampw_1234567890 |
Outputs
| Output | Type | Description |
|---|---|---|
groupId | text | The group ID that was processed |
userId | text | The user ID that was removed |
authMethodId | text | The auth method ID used for authentication |
userRemoved | boolean | Whether the user was successfully removed from group |
removedAt | datetime | When the operation completed (ISO 8601) |
Protected System Type: Okta-1.0.0
| Setting | Value |
|---|---|
| Address | https://your-tenant.okta.com |
| Authentication | Bearer — use an Okta API token prefixed with SSWS (e.g., SSWS SomeToken) |
Okta also supports proprietary SSF/CAEP event types (Device Risk Change, User Risk Change) transmitted as SETs to Okta’s Security Event Token endpoint.
nameKey: okta-assign-user-to-group
Description: Assign an Okta user to a group for access management
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
userId | Yes | text | The Okta user ID to assign | 00u1a2b3c4d5e6f7 |
groupId | Yes | text | The Okta group ID | 00g1a2b3c4d5e6f7 |
address | No | text | Okta API base URL override | https://your-tenant.okta.com |
Outputs
| Output | Type | Description |
|---|---|---|
userId | text | The user ID that was assigned |
groupId | text | The group ID the user was assigned to |
assigned | boolean | Whether the user was successfully assigned |
address | text | The Okta API base URL used |
assignedAt | datetime | When the user was assigned (ISO 8601) |
nameKey: okta-create-user
Description: Create a new user in Okta with profile attributes and group assignments
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
email | Yes | text | User’s email address | [email protected] |
login | Yes | text | User’s login/username | [email protected] |
firstName | Yes | text | First name | Alice |
lastName | Yes | text | Last name | Smith |
department | No | text | Department | Engineering |
employeeNumber | No | text | Employee number | EMP-001 |
groupIds | No | text | Comma-separated Okta group IDs | 00g1...,00g2... |
additionalProfileAttributes | No | text | JSON of additional profile attributes | {"title":"Engineer"} |
address | No | text | Okta API base URL override | https://your-tenant.okta.com |
Outputs
| Output | Type | Description |
|---|---|---|
id | text | The Okta user ID of the created user |
status | text | The user’s status in Okta |
created | datetime | When the user was created (ISO 8601) |
activated | datetime | When the user was activated (ISO 8601) |
statusChanged | datetime | When the user’s status last changed (ISO 8601) |
lastLogin | datetime | When the user last logged in (ISO 8601) |
lastUpdated | datetime | When the user was last updated (ISO 8601) |
profile | object | The user’s profile information |
groupIds | array | List of group IDs the user was assigned to |
address | text | The Okta API base URL used |
nameKey: okta-device-risk-change
Description: Transmits an Okta Device Risk Change event as a Security Event Token (SET) to a specified endpoint
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
subject | Yes | text | Subject identifier JSON | {"format":"email","email":"[email protected]"} |
audience | Yes | text | Intended recipient | https://your-tenant.okta.com/ |
previous_level | Yes | text | Previous device risk level | low |
current_level | Yes | text | Current device risk level | high |
initiating_entity | No | text | Entity that initiated the change | system |
reason_admin | No | text | Admin-readable reason | Device jailbreak detected |
reason_user | No | text | User-readable reason | Device risk level changed |
address | No | text | Destination URL override | https://your-tenant.okta.com/ |
Valid risk levels: high, medium, low, secure, none
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Transmission status |
statusCode | number | HTTP response status code |
body | text | HTTP response body |
retryable | boolean | Whether the error is retryable |
nameKey: okta-revoke-session
Description: Revoke all active sessions for an Okta user
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
userId | Yes | text | The Okta user ID whose sessions should be revoked | 00u1a2b3c4d5e6f7 |
address | No | text | Okta API base URL override | https://your-tenant.okta.com |
Outputs
| Output | Type | Description |
|---|---|---|
userId | text | The user ID whose sessions were revoked |
sessionsRevoked | boolean | Whether sessions were successfully revoked |
address | text | The Okta API base URL used |
revokedAt | datetime | When the sessions were revoked (ISO 8601) |
nameKey: okta-suspend-user
Description: Suspend an Okta user account, preventing them from logging in
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
userId | Yes | text | The Okta user ID to suspend | 00u1a2b3c4d5e6f7 |
address | No | text | Okta API base URL override | https://your-tenant.okta.com |
Outputs
| Output | Type | Description |
|---|---|---|
userId | text | The user ID that was suspended |
suspended | boolean | Whether the user was successfully suspended |
address | text | The Okta API base URL used |
suspendedAt | datetime | When the user was suspended (ISO 8601) |
status | text | The user’s status in Okta after suspension |
nameKey: okta-unassign-user-from-group
Description: Remove an Okta user from a group to revoke access
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
userId | Yes | text | The Okta user ID to remove | 00u1a2b3c4d5e6f7 |
groupId | Yes | text | The Okta group ID to remove the user from | 00g1a2b3c4d5e6f7 |
address | No | text | Okta API base URL override | https://your-tenant.okta.com |
Outputs
| Output | Type | Description |
|---|---|---|
userId | text | The user ID that was removed |
groupId | text | The group ID the user was removed from |
removed | boolean | Whether the user was successfully removed |
address | text | The Okta API base URL used |
removedAt | datetime | When the user was removed (ISO 8601) |
nameKey: okta-unsuspend-user
Description: Unsuspend an Okta user account, allowing them to log in again
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
userId | Yes | text | The Okta user ID to unsuspend | 00u1a2b3c4d5e6f7 |
address | No | text | Okta API base URL override | https://your-tenant.okta.com |
Outputs
| Output | Type | Description |
|---|---|---|
userId | text | The user ID that was unsuspended |
unsuspended | boolean | Whether the user was successfully unsuspended |
address | text | The Okta API base URL used |
unsuspendedAt | datetime | When the user was unsuspended (ISO 8601) |
status | text | The user’s status after unsuspension (typically ACTIVE) |
nameKey: okta-update-user
Description: Update an existing user’s profile in Okta using their login/email as identifier
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
login | Yes | text | User’s login/email identifier | [email protected] |
firstName | No | text | New first name | Alice |
lastName | No | text | New last name | Smith |
email | No | text | New email address | [email protected] |
department | No | text | New department | Platform |
employeeNumber | No | text | New employee number | EMP-002 |
additionalProfileAttributes | No | text | JSON of additional profile attributes | {"title":"Staff Engineer"} |
address | No | text | Okta API base URL override | https://your-tenant.okta.com |
Outputs
| Output | Type | Description |
|---|---|---|
id | text | The Okta user ID of the updated user |
status | text | The user’s status in Okta |
created | datetime | When the user was created (ISO 8601) |
activated | datetime | When the user was activated (ISO 8601) |
statusChanged | datetime | When the user’s status last changed (ISO 8601) |
lastLogin | datetime | When the user last logged in (ISO 8601) |
lastUpdated | datetime | When the user was last updated (ISO 8601) |
profile | object | The user’s updated profile information |
address | text | The Okta API base URL used |
nameKey: okta-update-user-by-id
Description: Update an existing user’s profile in Okta using their Okta userId as identifier
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
userId | Yes | text | User’s Okta userId | 00u1a2b3c4d5e6f7 |
firstName | No | text | New first name | Alice |
lastName | No | text | New last name | Smith |
email | No | text | New email address | [email protected] |
department | No | text | New department | Platform |
employeeNumber | No | text | New employee number | EMP-002 |
additionalProfileAttributes | No | text | JSON of additional profile attributes | {"title":"Staff Engineer"} |
address | No | text | Okta API base URL override | https://your-tenant.okta.com |
Outputs
| Output | Type | Description |
|---|---|---|
id | text | The Okta user ID of the updated user |
status | text | The user’s status in Okta |
created | datetime | When the user was created (ISO 8601) |
activated | datetime | When the user was activated (ISO 8601) |
statusChanged | datetime | When the user’s status last changed (ISO 8601) |
lastLogin | datetime | When the user last logged in (ISO 8601) |
lastUpdated | datetime | When the user was last updated (ISO 8601) |
profile | object | The user’s updated profile information |
address | text | The Okta API base URL used |
nameKey: okta-user-risk-change
Description: Transmits an Okta User Risk Change event as a Security Event Token (SET) to a specified endpoint
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
subject | Yes | text | Subject identifier JSON | {"format":"email","email":"[email protected]"} |
audience | Yes | text | Intended recipient | https://your-tenant.okta.com/ |
previous_level | Yes | text | Previous user risk level | low |
current_level | Yes | text | Current user risk level | high |
initiating_entity | No | text | Entity that initiated the change | policy |
reason_admin | No | text | Admin-readable reason | Suspicious login activity |
reason_user | No | text | User-readable reason | Your risk level has changed |
address | No | text | Destination URL override | https://your-tenant.okta.com/ |
Valid risk levels: high, medium, low, secure, none
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Transmission status |
statusCode | number | HTTP response status code |
body | text | HTTP response body |
retryable | boolean | Whether the error is retryable |
Protected System Type: SailpointIdentityNow-1.0.0
| Setting | Value |
|---|---|
| Address | https://your-tenant.api.identitynow.com |
| Authentication | OAuth2 Client Credentials (using the SailPoint client ID and secret from your IdentityNow tenant) |
nameKey: sailpoint-identity-now-disable-account
Description: Disable an account in SailPoint IdentityNow
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
accountId | Yes | text | The ID of the account to disable | 2c9180835d2e5168015d32f890ca1581 |
address | No | text | SailPoint IdentityNow API base URL override | https://your-tenant.api.identitynow.com |
externalVerificationId | No | text | External verification ID for the operation | ext-verify-001 |
forceProvisioning | No | boolean | Force provisioning of the disable operation (default false) | false |
Outputs
| Output | Type | Description |
|---|---|---|
accountId | text | The ID of the account that was disabled |
disabled | boolean | Whether the account was successfully disabled |
taskId | text | The ID of the provisioning task created |
message | text | Additional information about the operation |
disabledAt | datetime | When the account was disabled (ISO 8601) |
address | text | The SailPoint IdentityNow API base URL used |
nameKey: sailpoint-identity-now-enable-account
Description: Enable an account in SailPoint IdentityNow
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
accountId | Yes | text | The ID of the account to enable | 2c9180835d2e5168015d32f890ca1581 |
address | No | text | SailPoint IdentityNow API base URL override | https://your-tenant.api.identitynow.com |
externalVerificationId | No | text | External verification ID for the operation | ext-verify-002 |
forceProvisioning | No | boolean | Force provisioning of the enable operation (default false) | false |
Outputs
| Output | Type | Description |
|---|---|---|
accountId | text | The ID of the account that was enabled |
enabled | boolean | Whether the account was successfully enabled |
taskId | text | The ID of the provisioning task created |
message | text | Additional information about the operation |
enabledAt | datetime | When the account was enabled (ISO 8601) |
address | text | The SailPoint IdentityNow API base URL used |
nameKey: sailpoint-identity-now-grant-access
Description: Request access to resources in SailPoint IdentityNow
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
identityId | Yes | text | The ID of the identity requesting access | 2c9180835d2e5168015d32f890ca1581 |
itemType | Yes | text | Type of access item: ACCESS_PROFILE, ROLE, or ENTITLEMENT | ROLE |
itemId | Yes | text | The ID of the access item to grant | 2c9180835d2e5168015d32f890ca2345 |
itemComment | No | text | Comment for the access request | Approved by SGNL policy |
itemRemoveDate | No | text | ISO 8601 date when access should be removed | 2026-12-31T00:00:00Z |
clientMetadata | No | text | Arbitrary key-value pairs as JSON string | {"requestedBy":"sgnl"} |
itemClientMetadata | No | text | Item-level key-value pairs as JSON string | {"priority":"high"} |
address | No | text | SailPoint IdentityNow API base URL override | https://your-tenant.api.identitynow.com |
Outputs
| Output | Type | Description |
|---|---|---|
requestId | text | The ID of the access request created |
identityId | text | The identity ID for which access was requested |
itemType | text | The type of access item requested |
itemId | text | The ID of the access item requested |
status | text | The status of the access request |
requestedAt | datetime | When the access request was created (ISO 8601) |
address | text | The SailPoint IdentityNow API base URL used |
nameKey: sailpoint-identity-now-revoke-access
Description: Request to revoke access to resources in SailPoint IdentityNow
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
identityId | Yes | text | The ID of the identity | 2c9180835d2e5168015d32f890ca1581 |
itemType | Yes | text | Type of access item: ACCESS_PROFILE, ROLE, or ENTITLEMENT | ROLE |
itemId | Yes | text | The ID of the access item to revoke | 2c9180835d2e5168015d32f890ca2345 |
itemComment | Yes | text | Comment for the revocation request (required) | Access no longer needed |
itemRemoveDate | No | text | ISO 8601 date when access should be removed | 2026-06-01T00:00:00Z |
clientMetadata | No | text | Arbitrary key-value pairs as JSON string | {"revokedBy":"sgnl"} |
itemClientMetadata | No | text | Item-level key-value pairs as JSON string | {"priority":"high"} |
address | No | text | SailPoint IdentityNow API base URL override | https://your-tenant.api.identitynow.com |
Outputs
| Output | Type | Description |
|---|---|---|
requestId | text | The ID of the access request created |
identityId | text | The identity ID for which access was revoked |
itemType | text | The type of access item requested |
itemId | text | The ID of the access item requested |
status | text | The status of the access request |
requestedAt | datetime | When the access request was created (ISO 8601) |
address | text | The SailPoint IdentityNow API base URL used |
Protected System Type: Salesforce-1.0.0
| Setting | Value |
|---|---|
| Address | https://your-instance.salesforce.com |
| Authentication | OAuth2 Client Credentials or OAuth2 Authorization Code |
The Salesforce Connected App must have the api and refresh_token scopes. For OAuth2 Client Credentials, use the token URL https://login.salesforce.com/services/oauth2/token.
nameKey: salesforce-add-to-permission-set
Description: Add a user to a permission set in Salesforce
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
username | Yes | text | Salesforce username to add to the permission set | [email protected] |
permissionSetId | Yes | text | Salesforce permission set ID | 0PS000000000001 |
address | No | text | Salesforce API base URL override | https://your-instance.salesforce.com |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result |
username | text | The username that was processed |
userId | text | Salesforce user ID that was found |
permissionSetId | text | Permission set ID that was assigned |
assignmentId | text | Permission set assignment ID (if created) |
address | text | The Salesforce API base URL used |
nameKey: salesforce-remove-from-permission-set
Description: Remove a user from a permission set in Salesforce
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
username | Yes | text | Salesforce username to remove from the permission set | [email protected] |
permissionSetId | Yes | text | The ID of the permission set | 0PS000000000001 |
address | No | text | Salesforce API base URL override | https://your-instance.salesforce.com |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result |
username | text | The username that was processed |
userId | text | The Salesforce User ID |
permissionSetId | text | The permission set ID |
assignmentId | text | The permission set assignment ID that was removed |
removed | boolean | Whether the permission set assignment was actually removed |
address | text | The Salesforce API base URL used |
nameKey: salesforce-revoke-session
Description: Revoke all sessions for a user in Salesforce
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
username | Yes | text | Salesforce username to revoke sessions for | [email protected] |
address | No | text | Salesforce API base URL override | https://your-instance.salesforce.com |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result |
username | text | The username for which sessions were revoked |
userId | text | The Salesforce user ID |
sessionsRevoked | number | Number of sessions that were revoked |
processed_at | datetime | When the operation completed (ISO 8601) |
address | text | The Salesforce API base URL used |
Protected System Type: Slack-1.0.0
| Setting | Value |
|---|---|
| Address | https://slack.com |
| Authentication | Bearer — use a Slack Bot User OAuth Token prefixed with Bearer |
The Slack Bot Token requires the users:read.email, users:admin, and chat:write scopes. For session revocation, the admin.users:write scope is also required.
nameKey: slack-revoke-session
Description: Revoke all active sessions for a Slack user by email address
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
userEmail | Yes | Email address of the Slack user | [email protected] | |
delay | No | text | Delay between API calls (e.g., 100ms, 1s) | 100ms |
address | No | text | Slack API base URL override | https://slack.com |
Outputs
| Output | Type | Description |
|---|---|---|
userEmail | text | The email address that was processed |
userId | text | The Slack user ID resolved from the email |
sessionsRevoked | boolean | Whether the sessions were successfully revoked |
revokedAt | datetime | When the revocation completed (ISO 8601) |
nameKey: slack-send-direct-message
Description: Send a direct message to a Slack user by email
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
text | Yes | text | Message text to send | Your access has been updated by SGNL. |
userEmail | Yes | text | Email address of the Slack user | [email protected] |
delay | No | text | Delay between API calls | 100ms |
address | No | text | Slack API base URL override | https://slack.com |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result |
userEmail | text | The email address of the user the message was sent to |
userId | text | The Slack user ID resolved from the email |
text | text | The message text that was sent |
ts | text | The timestamp of the sent message from Slack API |
ok | boolean | Whether the Slack API call was successful |
nameKey: slack-send-message
Description: Send a message to a Slack channel via API or webhook
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
text | Yes | text | Message text to send | Alert: access policy triggered for [email protected] |
channel | No | text | Slack channel name or ID (required for API mode) | #security-alerts |
isWebhook | No | boolean | Use webhook mode instead of API mode (default false) | false |
address | No | text | Slack API base URL (API mode) or webhook URL (webhook mode) | https://slack.com |
Outputs
| Output | Type | Description |
|---|---|---|
status | text | Operation result |
text | text | The message text that was sent |
channel | text | The channel where the message was sent (API mode only) |
ts | text | Message timestamp returned by Slack (API mode only) |
ok | boolean | Whether the Slack API response was successful |
mode | text | The delivery mode used (webhook or api) |
Protected System Type: Snowflake-1.0.0
| Setting | Value |
|---|---|
| Address | https://api.snowflakecomputing.com |
| Authentication | Bearer, Basic (username/password), OAuth2 Client Credentials, or OAuth2 Authorization Code |
nameKey: snowflake-revoke-session
Description: Revoke all active sessions for a Snowflake user by disabling and re-enabling the account
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
username | Yes | text | The Snowflake username to revoke sessions for | ALICE |
delay | No | text | Delay between disable and re-enable operations | 100ms |
address | No | text | Snowflake API base URL override | https://api.snowflakecomputing.com |
Outputs
| Output | Type | Description |
|---|---|---|
username | text | The Snowflake username that was processed |
sessionsRevoked | boolean | Whether the sessions were successfully revoked |
userDisabled | text | Statement handle or status for the disable operation |
userReEnabled | text | Statement handle or status for the re-enable operation |
revokedAt | datetime | When the revocation completed (ISO 8601) |
Protected System Type: Zoom-1.0.0
| Setting | Value |
|---|---|
| Address | https://api.zoom.us |
| Authentication | Bearer, OAuth2 Client Credentials, or OAuth2 Authorization Code |
For OAuth2 Client Credentials, use the token URL https://zoom.us/oauth/token and configure a Server-to-Server OAuth app in the Zoom Marketplace.
nameKey: zoom-revoke-session
Description: Revoke SSO token for a Zoom user
Inputs
| Input | Required | Type | Description | Example |
|---|---|---|---|---|
userId | Yes | text | The Zoom user ID to revoke SSO token for | abc123DEF456 |
address | No | text | Zoom API base URL override | https://api.zoom.us |
Outputs
| Output | Type | Description |
|---|---|---|
userId | text | The Zoom user ID that was processed |
tokenRevoked | boolean | Whether the SSO token was successfully revoked |
revokedAt | datetime | When the revocation completed (ISO 8601) |